Amendments to the Claims

Claim 1 (currently amended): A computer program product for enabling an identity change during a certificate-based host access session, said computer program product embodied on a computer-readable medium and comprising:
computer-readable program code means for processing a first sign-on during a secure session using a digital certificate, further comprising:
computer-readable program code means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
computer-readable program code means for storing said digital certificate or a reference thereto at said server machine;
computer-readable program code means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
computer-readable program code means for passing said stored digital certificate or said reference from said server machine to a host access security system;
computer-readable program code means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
computer-readable program code means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
computer-readable program code means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
computer-readable program code means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials; and
computer-readable program code means, operable in said server machine, for using said returned stored password or said generated password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to [[a]] said first secure legacy host application executing at said host system; and
computer-readable program code means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate [[for]] that represents a second identity, [[wherein said second sign-on requests access to said secure legacy host application or a different legacy host application by said user or by a different user]], further comprising:
computer-readable program code means for receiving a second sign-on request at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes [[using]] said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;
computer-readable program code means for passing said second digital certificate or [[a]] said second certificate reference from said server machine to said host access security system;
computer-readable program code means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
computer-readable program code means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
computer-readable program code means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;
computer-readable program code means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and
computer-readable program code means, operable in said server machine, for using said returned second stored password or [[said]] second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system [[or said different legacy host application]].

Claim 2 (currently amended): The computer program product as claimed in Claim 1, wherein said digital certificate [[is an]] and said second digital certificate are X.509 [[certificate]] certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 3 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 3270 emulation protocol.

Claim 4 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 5250 emulation protocol.

Claim 5 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a Virtual Terminal protocol.

Claim 6 (original): The computer program product as claimed in Claim 3, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 7 (currently amended): The computer program product as claimed in Claim 1, wherein said computer-readable program code means for processing said second sign-on further comprises computer-readable program code means for storing said second digital certificate at said server machine.

Claim 8 (currently amended): The computer program product as claimed in Claim 1, wherein:
said computer-readable program code means for processing said first sign-on further comprises:
computer-readable program code means for requesting by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; [[and]]
computer-readable program code means for responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and
said computer-readable program code means for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further comprises:
computer-readable program code means for substituting [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said generated password substitute for said placeholders in said first sign-on message, thereby creating a revised first sign-on message; and
computer-readable program code means for forwarding said revised first sign-on message from said server machine to said first secure legacy host application.
[[said computer-readable program code means for processing said second sign-on further comprises: computer-readable program code means for requesting, by said legacy host application, second sign-on information for said second identity; computer-readable program code means for responding to said request for second sign-on information by sending a second sign-on message with placeholders from said client machine to said server machine, said placeholders representing a different user identification and a different password of said second identity; and computer-readable program code means for substituting said second user identifier associated with said second access credentials and said second stored password or said second password substitute for said placeholders in said second sign-on message.]]

Claim 9 (currently amended): A system for enabling an identity change during a certificate-based host access session, comprising:
means for processing a first sign-on during a secure session using a digital certificate, further comprising:
means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
means for storing said digital certificate or a reference thereto at said server machine;
means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
means for passing said stored digital certificate or said reference from said server machine to a host access security system;
means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials; and
means, operable in said server machine, for using said returned stored password or said generated password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to [[a]] said first secure legacy host application executing at said host system; and
means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate [[for]] that represents a second identity, [[wherein said second sign-on requests access to said secure legacy host application or a different legacy host application by said user or by a different user]], further comprising:
means for receiving a second sign-on request at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes [[using]] said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;
means for passing said second digital certificate or [[a]] said second certificate reference from said server machine to said host access security system;
means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;
means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and
means, operable in said server machine, for using said returned second stored password or [[said]] second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system [[or said different legacy host application]].

Claim 10 (currently amended): The system as claimed in Claim 9, wherein said digital certificate and said second digital certificate are [[is an]] X.509 [[certificate]] certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 11 (original): The system as claimed in Claim 9, wherein said communication protocol is a 3270 emulation protocol.

Claim 12 (original): The system as claimed in Claim 11, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 13 (currently amended): The system as claimed in Claim 9, wherein said means for processing said second sign-on further comprises means for storing said second digital certificate at said server machine.

Claim 14 (currently amended): The system as claimed in Claim 9, wherein:
said means for processing said first sign-on further comprises:
means for requesting by said first secure legacy host application, responsive to said means for establishing said session, first sign-on information for said user; [[and]]
means for responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and
said means for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further comprises:
means for substituting [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said generated password substitute for said placeholders in said first sign-on message, thereby creating a revised first sign-on message; and
means for forwarding said revised first sign-on message from said server machine to said first secure legacy host application.
[[said means for processing said second sign-on further comprises: means for requesting, by said legacy host application, second sign-on information for said second identity; means for responding to said request for second sign-on information by sending a second sign-on message with placeholders from said client machine to said server machine, said placeholders representing a different user identification and a different password of said second identity; and means for substituting said second user identifier associated with said second access credentials and said second stored password or said second password substitute for said placeholders in said second sign-on message.]]

Serial No. 09/619,912 -15- Docket RSW9-2000-0081-US1

Claim 15 (currently amended): A method for enabling an identity change during a certificate-based host access session, comprising the steps of:
processing a first sign-on during a secure session using a digital certificate, further comprising the steps of:
establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
storing said digital certificate or a reference thereto at said server machine;
establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
passing said stored digital certificate or said reference from said server machine to a host access security system;
authenticating, by said host access security system, said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
using, by said host access security system, said passed or retrieved digital certificate to locate access credentials for said user;
accessing, by said host access security system, a stored password or generating a password substitute representing said located credentials;
returning, by said host access security system, said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials; and
using, by said server machine, said returned stored password or said generated password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to [[a]] said first secure legacy host application executing at said host system; and
processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate [[for]] that represents a second identity, [[wherein said second sign-on requests access to said secure legacy host application or a different legacy host application by said user or by a different user]], further comprising the steps of:
receiving a second sign-on request at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes [[using]] said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;
passing said second digital certificate or [[a]] said second certificate reference from said server machine to said host access security system;
authenticating, by said host access security system, said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
using, by said host access security system, said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
accessing, by said host access security system, a second stored password or generating a second password substitute representing said second located credentials;
returning, by said host access security system, said second stored password or second generated password substitute to said server machine, along with a second identifier corresponding to said second located credentials; and
using, by said server machine, said returned second stored password or [[said]] second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system [[or said different legacy host application]].

Claim 16 (currently amended): The method as claimed in Claim 15, wherein said digital certificate and said second digital certificate are [[is an]] X.509 [[certificate]] certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 17 (original): The method as claimed in Claim 15, wherein said communication protocol is a 3270 emulation protocol.

Claim 18 (original): The method as claimed in Claim 17, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 19 (currently amended): The method as claimed in Claim 15, wherein said step of processing said second sign-on further comprises the step of storing said second digital certificate at said server machine.

Claim 20 (currently amended): The method as claimed in Claim 15, wherein:
said step of processing said first sign-on further comprises the steps of:
requesting by said first secure legacy host application, responsive to said step of establishing said session, first sign-on information for said user;
responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and
said step of using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on further comprises the steps of:
substituting [[a]] said returned user identifier [[associated with said located access credentials]] and said returned stored password or said generated password substitute for said placeholders in said first sign-on message, thereby creating a revised first sign-on message; and
forwarding said revised first sign-on message from said server machine to said first secure legacy host application.
[[said step of processing said second sign-on further comprises the steps of: requesting, by said legacy host application, second sign-on information for said second identity; responding to said request for second sign-on information by sending a second sign-on message with placeholders from said client machine to said server machine, said placeholders representing a different user identification and a different password of said second identity; and substituting said second user identifier associated with said second access credentials and said second stored password or said second password substitute for said placeholders in said second sign-on message.]]

Claim 21 (new): The computer program product as claimed in Claim 1, wherein:
said computer-readable program code means for processing said second sign-on further comprises computer-readable program code means for receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholders representing a user identification of said second user and a password of said second user; and
said computer-readable program code means for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises:
computer-readable program code means for substituting said returned second user identifier and said returned second password or second password substitute for said placeholders in said second sign-on message, thereby creating a revised second sign-on message; and
computer-readable program code means for forwarding said revised second sign-on message from said server machine to said second secure legacy host application.

Claim 22 (new): The computer program product according to Claim 1, wherein said second sign-on request includes information usable as proof that said second user owns said second digital certificate.

Claim 23 (new): The computer program product according to Claim 22, wherein said proof further comprises a random seed value and a sequence number concatenated thereto by said client machine to detect replay attacks, wherein said random seed value was previously sent from said server machine to said client machine.

Claim 24 (new): The computer program product according to Claim 23, wherein said identification of said second secure legacy host application is also concatenated to said random seed value.

Claim 25 (new): The computer program product according to Claim 23, wherein a digital signature computed using a private key associated with said second digital certificate is included in said second sign-on request, said digital signature covering said random seed value and said concatenated sequence number.

Claim 26 (new): The computer program product according to Claim 24, wherein a digital signature computed using a private key associated with said second digital certificate is included in said second sign-on request, said digital signature covering said random seed value, said concatenated sequence number, and said concatenated identification of said second secure legacy host application.
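Claims 23 through 26 describe the proof structure: a random seed issued earlier by the server, a sequence number concatenated by the client, optionally the identification of the target application, and a digital signature over the concatenation made with the private key of the second certificate. The replay protection only materialises if the server checks each part. The Go program below is an added example, not part of the claims or of any product, showing the server-side checks: the seed must be the one issued to this secure session, the application identification must match the application the request names, the signature must verify under the public key taken from the presented certificate, and the sequence number must advance. Ed25519, the struct layout, the byte encoding and the application identifiers are assumptions of this example.

```go
// Added example: server-side verification of the signed proof of claims 23-26.
// Ed25519, the struct layout and the application ids are assumptions.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Proof is what the client attaches to a second sign-on request: the seed the
// server issued, a sequence number, the target app id, and a signature over all three.
type Proof struct {
	Seed      []byte
	Seq       uint32
	AppID     string
	Signature []byte
}

var (
	ErrBadSeed  = errors.New("seed is not the one issued to this session")
	ErrWrongApp = errors.New("proof is bound to a different application")
	ErrBadSig   = errors.New("signature does not verify under the certificate key")
	ErrReplay   = errors.New("sequence number did not advance: replay")
)

// coveredBytes is the concatenation of claim 26: seed || seq || app id, with a
// fixed-width sequence number so the encoding is unambiguous.
func coveredBytes(seed []byte, seq uint32, appID string) []byte {
	var seqBytes [4]byte
	binary.BigEndian.PutUint32(seqBytes[:], seq)
	return bytes.Join([][]byte{seed, seqBytes[:], []byte(appID)}, nil)
}

// Session is the server's per-secure-session state.
type Session struct {
	seed    []byte
	lastSeq uint32
}

// NewSession draws the random seed the server sends to the client up front.
func NewSession() (*Session, error) {
	seed := make([]byte, 16)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	return &Session{seed: seed}, nil
}

// Sign is the client side: a proof over the received seed, the next sequence
// number (starting at 1) and the application it asks to sign on to.
func Sign(priv ed25519.PrivateKey, seed []byte, seq uint32, appID string) Proof {
	covered := coveredBytes(seed, seq, appID)
	return Proof{Seed: seed, Seq: seq, AppID: appID, Signature: ed25519.Sign(priv, covered)}
}

// Verify accepts a proof only if the seed is this session's, the app id matches
// the request, the signature verifies under the key from the presented
// certificate, and the sequence number advances. State changes only on success.
func (s *Session) Verify(pub ed25519.PublicKey, requestedApp string, p Proof) error {
	if !bytes.Equal(p.Seed, s.seed) {
		return ErrBadSeed
	}
	if p.AppID != requestedApp {
		return ErrWrongApp
	}
	if !ed25519.Verify(pub, coveredBytes(p.Seed, p.Seq, p.AppID), p.Signature) {
		return ErrBadSig
	}
	if p.Seq <= s.lastSeq {
		return ErrReplay
	}
	s.lastSeq = p.Seq
	return nil
}

// RunScenario uses a constructed key pair: a fresh proof, a byte-for-byte replay
// of it, the same proof presented for another application, and a copy whose
// sequence number was edited after signing.
func RunScenario() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return []error{err}
	}
	sess, err := NewSession()
	if err != nil {
		return []error{err}
	}
	p := Sign(priv, sess.seed, 1, "CICSPROD") // constructed application id
	tampered := Proof{p.Seed, 2, p.AppID, p.Signature}
	return []error{
		sess.Verify(pub, "CICSPROD", p),
		sess.Verify(pub, "CICSPROD", p),
		sess.Verify(pub, "TSO", p),
		sess.Verify(pub, "CICSPROD", tampered),
	}
}

func main() {
	fmt.Println(RunScenario())
}
```

The four failure modes are kept as distinct errors on purpose: a replayed proof, a proof re-targeted to another application and a proof whose signature does not verify are different events for monitoring, and collapsing them into one "authentication failed" result hides which protection actually fired. Binding the application identification into the signed bytes (claim 26) is what stops a proof captured for one host application from being presented for another.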

Claim 27 (new): The system as claimed in Claim 9, wherein:
said means for processing said second sign-on further comprises means for receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholders representing a user identification of said second user and a password of said second user; and
said means for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises:
means for substituting said returned second user identifier and said returned second password or second password substitute for said placeholders in said second sign-on message, thereby creating a revised second sign-on message; and
means for forwarding said revised second sign-on message from said server machine to said second secure legacy host application.

Claim 28 (new): The method as claimed in Claim 15, wherein:
said step of processing said second sign-on further comprises the step of receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholders representing a user identification of said second user and a password of said second user; and
said step of using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises the steps of:
substituting said returned second user identifier and said returned second password or second password substitute for said placeholders in said second sign-on message, thereby creating a revised second sign-on message; and
forwarding said revised second sign-on message from said server machine to said second secure legacy host application.


Claim 29 (new): A computer-implemented method for enabling an identity change during a certificate-based host access session, comprising steps of:
establishing a secure session between a client and a server using a digital certificate owned by a user of said client;
remembering said digital certificate at said server;
completing a first sign-on to a host application, by said server on behalf of said user, responsive to receiving an asynchronous sign-on request from said client that identifies said host application, further comprising the steps of:
using said remembered digital certificate to authenticate said user to a host access security component;
if said user is authenticated, locating, by said host access security component, access credentials of said user;
creating, by said host access security component, a passticket that represents said located access credentials;
returning said passticket from said host access security component to said server, along with a user identifier associated with said located access credentials; and
inserting, by said server, said passticket and said user identifier into a log-on message in place of placeholders therefor, when said log-on message is received at said server from said client, thereby creating a revised log-on message that is then sent from said server to sign said user on to said host application; and
completing a second sign-on to a second host application, by said server on behalf of a second user, responsive to receiving a second asynchronous sign-on request from said client that identifies said second host application, wherein said second host application may be identical to said host application and said second user may be identical to said user, further comprising the steps of:
using a new digital certificate and proof therefor to authenticate said second user to said host access security component, wherein said new digital certificate and said proof therefor are included in said second asynchronous sign-on request;
if said second user is authenticated, locating, by said host access security component, access credentials of said second user;
creating, by said host access security component, a second passticket that represents said located access credentials of said second user;
returning said second passticket from said host access security component to said server, along with a second user identifier associated with said located access credentials of said second user; and
inserting, by said server, said returned second passticket and said returned second user identifier into a second log-on message in place of placeholders therefor, when said second log-on message is received at said server from said client, thereby creating a revised second log-on message that is then sent from said server to sign said second user on to said second host application.
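The sequence of claim 29 (remember the certificate from session establishment, authenticate it to the host access security component, receive a passticket and user identifier, substitute them for the placeholders in the client's log-on message, and repeat with a new certificate carried in the second request) can be followed end to end in code. The Go program below is an added example, not part of the claims or of any product: the security component, its certificate-to-user mapping, the HMAC-based one-time ticket (a stand-in, not the RACF PassTicket algorithm), the placeholder tokens, the log-on message format and the application identifiers are all constructed for this example.

```go
// Added example modelling the server-side flow of claim 29. The security
// component, passticket format, fingerprinting and placeholder tokens are
// constructed for this example; RACF's real PassTicket algorithm is not used.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Placeholders the client leaves in its log-on message for the server to fill.
const (
	UserPlaceholder = "%%USERID%%"
	PassPlaceholder = "%%PASSWORD%%"
)

var (
	ErrUnknownCert    = errors.New("certificate is not mapped to any host user")
	ErrNoPlaceholders = errors.New("log-on message carries no placeholders")
)

// SecurityComponent stands in for the host access security system: it maps a
// certificate fingerprint to a host user id and mints a one-time passticket
// rather than releasing a stored password to the server.
type SecurityComponent struct {
	certToUser map[string]string
	key        []byte // constructed secret shared with the host applications
	counter    uint64 // makes successive passtickets for one user distinct
}

func fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// Authenticate returns the host user id and a passticket bound to that user and
// application, or ErrUnknownCert when the certificate maps to nobody.
func (sc *SecurityComponent) Authenticate(certDER []byte, appID string) (string, string, error) {
	user, ok := sc.certToUser[fingerprint(certDER)]
	if !ok {
		return "", "", ErrUnknownCert
	}
	sc.counter++
	mac := hmac.New(sha256.New, sc.key)
	fmt.Fprintf(mac, "%s|%s|%d", user, appID, sc.counter)
	return user, hex.EncodeToString(mac.Sum(nil))[:16], nil
}

// Server remembers the certificate from session establishment; a second sign-on
// may carry a new certificate in the request instead.
type Server struct {
	remembered []byte
	sec        *SecurityComponent
}

// SignOn authenticates the certificate for appID, then substitutes the returned
// user id and passticket for the placeholders in the client's log-on message.
// A nil cert selects the remembered one.
func (s *Server) SignOn(cert []byte, appID, logon string) (string, error) {
	if cert == nil {
		cert = s.remembered
	}
	if !strings.Contains(logon, UserPlaceholder) || !strings.Contains(logon, PassPlaceholder) {
		return "", ErrNoPlaceholders
	}
	user, ticket, err := s.sec.Authenticate(cert, appID)
	if err != nil {
		return "", err
	}
	revised := strings.Replace(logon, UserPlaceholder, user, 1)
	return strings.Replace(revised, PassPlaceholder, ticket, 1), nil
}

// Demo runs the claimed sequence with constructed certificate bytes: first
// sign-on with the remembered certificate, second with a new one carried in
// the request, then an attempt with a certificate mapped to nobody.
func Demo() (first, second string, unknownErr error) {
	certA, certB := []byte("constructed-cert-alice"), []byte("constructed-cert-bob")
	sec := &SecurityComponent{
		certToUser: map[string]string{fingerprint(certA): "ALICE01", fingerprint(certB): "BOB02"},
		key:        []byte("constructed-shared-secret"),
	}
	srv := &Server{remembered: certA, sec: sec}
	logon := "LOGON APPLID(CICSPROD) USERID(" + UserPlaceholder + ") PASSWORD(" + PassPlaceholder + ")"
	first, _ = srv.SignOn(nil, "CICSPROD", logon)
	second, _ = srv.SignOn(certB, "CICSPROD", logon)
	_, unknownErr = srv.SignOn([]byte("constructed-cert-nobody"), "CICSPROD", logon)
	return first, second, unknownErr
}

func main() {
	first, second, err := Demo()
	fmt.Println(first)
	fmt.Println(second)
	fmt.Println("third attempt:", err)
}
```

The point worth noticing is that the server never handles a stored password: the security component returns a ticket bound to the user, the application and a counter, so a ticket lifted from one log-on message is useless for a different application or a later sign-on. That is the property the claims' "password substitute" is meant to provide, and it is the reason the substitution happens at the server, after authentication, rather than at the client.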